> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.
It really depends on the quality (strenght of the teeth, willingness to use it) of the regulator here; we have a lot of similar situation in EU/France and it's always a case that either it creates a new right or it creates a moat, depending on the enforcer.
This is a very good example of the difference between a left policy and a liberal policy (actually neoliberal to be precise).
The left policy would have been to have some agency within the california government which ultimately does the verification... because why would you outsource that task to a 3rd party?
The neoliberal policy is "Well, we don't want to spend the time to set this up, so let's just pay 10 companies with some taxpayer money to do the job we really should do ourselves".
So now the government has all my data and looks at it constantly to avoid it being available to private companies? Sounds like the worst situation possible.
All your data? No, just records of whether or not your a citizen/resident. That seems like pretty important data for any government to have. It's also information the state's records department likely already has. For example, if you have a drivers license with the state or you were born in the state they'll have that documentation.
Unless you are just an anarchist, then I can't see how it's unreasonable for a government to know who it represents. That's why governments do censuses. Heck, that's needed just for the basic function of making sure you aren't voting in multiple districts.
No shit. All data brokery is a poison pill to justify itself. Until you illegalize the entire damn endeavor, it'll find a way to justify it's own existence through malicious compliance.
I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
I'm also skeptical it will have any real effect. The law requires them to process deletion requests at a 45 day interval:
> Data brokers are required to process deletion requests at least once every 45 days beginning August 1, 2026.
But what if Broker A (based in CA) has a contract with Broker B, who doesn't do business in CA, to sync data once a day. Now Broker A will have your data on 44 out of 45 days and still be fully compliant with the law. Furthermore, it's not difficult to figure out when that 45 day interval comes up, so I would expect customers to figure that out and time their purchases accordingly.
> I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
They could store a normalised, hashed version of your data and use it to filter any incoming datasets. But, of course, why would they?
That wouldn't really work because the hash key has to be both specific enough to be unique to you and also general enough to cover any incomplete data set that matches you.
It would work in many cases, though not all. You would not hash everything together. Instead, you hash normalized identifiers independently, such as email address, phone number, or physical address. An incoming dataset would only need to match one of these to be excluded.
Also often not unique to a person, although email addresses probably tend to have much longer lifespans as identifiers than phone numbers.
If the idea is to have a true opt-out system, it's really really difficult to implement given how these systems work.
If you look at the data provided by services like accurint, you'll frequently see the same SSNs used for decades by multiple different individuals, often with IDs from different states with the same name and DoB despite obviously being different people. With how the system works in the US, it can often be impossible for anyone to determine which physical person the SSN was actually originally assigned to.
Same obviously applies to other identifiers you suggested, but even the seemingly good ones are not very good at uniquely identifying people.
You could of course key on things like SSNs, but data brokers wouldn't be very happy about that because there are lots of SSNs tied to multiple different people.
The government will, given that they're a fairly integral part of how the US economy.
Every single financial institution relies on these data-brokers. U-haul needs data brokers to be able to verify your driver's license, the TSA needs data brokers to let you on a flight without an ID. There are simply countless of reasons for why you wouldn't want to break this system for people who haven't opted in for breakage.
> I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
If I ever stumble upon such an obvious oversight/loophole, I find it's best to not immediately stop, but to ask: "How do they intend to solve this?"
In this case, the first part of the terms of use solves your conundrum:
> By submitting a deletion request through DROP, you consent to disclosure of your personal information to data brokers for purposes of processing your deletion request pursuant to Civil Code section 1798.99.80 et seq. unless or until you cancel your deletion request. Additionally, you acknowledge that data brokers receiving your deletion request will delete any non-exempt "personal information," as defined in Civil Code section 1798.140(v), which pertains to you and was collected from third parties or from you in a non-"first party" capacity (i.e., through an interaction where you did not intend or expect to interact with the data broker).
You can see this in action today, if you make the effort to manually remove yourself from data brokers.
Some of the brokers do offer an easy removal process and will handle your request right away, but then your record will reappear after some amount of time, obviously purchased from another broker.
I would not be surprised to discover that these individual brokers are, in fact, owned by the same entity and they merely exchange records periodically.
This is the reason that I choose to use Optery. They have the bandwidth and tools to chase my records on my behalf, for as long as I pay them.
California also requires data brokers to register with the state, creating the (intended) possibility of removing your info fully from all brokers all at once
I still think data brokers will not fully delete the data and would make it available or sell it elsewhere. Data should not be in the hands of these companies in the first place but I guess the cat's out of the bag. They should not collect data deemed sensitive and they should be fined heavily at least to deter wrongdoing.
Much of the data is just scraped from public records that aren't going away. (Yes, collection/resale of those records should be restricted...there is good reason for some types to at least be available)
I tried this yesterday (Saturday). I went through two pages of forms and two rounds of SMS 2FA only for it to reject the 2FA codes on the second page. I gave up because I try not to allocate too much energy toward fighting losing battles.
By that time the data brokers might have sold off the data to others outside USA. may they already have. This is just US law, it will not affect India, China, Russia, etc data brokers
- This needs teeth and they should inform you of what to do if you find out they ignored the request and what penalties they will receive. Tell people they can aid in the enforcement and I bet they will.
- I understand why the residency requirement is there but it just bums me out.
- The language is wrong. People are people, not 'consumers': "...In addition, the consumer must first have their residency verified as described in the Use of DROP section above..."
"consumer" is the language in the CCPA (which had its origins in a ballot initiative); most general privacy laws in the states are designed as consumer protection laws rather than civil rights like in the EU.
Which will never happen in a million years with the current regime. Which is exactly why corporations put them there -- to ensure industry will not be regulated (unless you're not paying protection money).
I always wondered about a possible loophole in opt-out.
Could you create legal entities fast/cheap enough and delay compliance long enough so that any private data, requested for deletion, can be transfered from the old opted-out entity to the new one, over and over again?
This could render the entire opt-out approach useless, right? Because in order to reach your goal of deletion, you must get ahead of the transfer curve.
I don't see them being on the resident's side when it comes to something as valuable as data.
I agree with you on this. They'll play the loop hole long enough that by then your data has conjoined and transverses into some other data: it has served it's purpose.
For people in general these data brokers are a primary source of information for spammers, both political and semi-targeted. So they share responsibility for making calls from unknown numbers useless.
Depends on what kind of life you live, daily. If you're totally inoffensive and not being bold about anything, not interacting with people in meaningful way, such that no one could possibly be motivated to use the information to track you down and hurt you, then, practically speaking, you're too boring to be of note. But if you are interesting to someone. Maybe you're the other person in an affair, or you're active online in some sort of fashion; if you stick out in some way, then they, whomever you've pissed off, is gonna track you down thanks to such data leaks. Personally, an ex girlfriend just got into a fight with her latest beau, and for some reason I came up, and he was able to track me down to tell me exactly what he thought about I don't know what. Not having that information out there would make me safer when the woman at the bar I made out with turns out to be married to a jealous and violent police officer.
Glad this exists but skeptical about enforcement, particularly for any data broker hosting outside of the US.
My phone number is on the national Do Not Call registry and that isn't stopping me from getting 1-2 calls a day from loan scam companies (and they are literally calling from a different phone number every time, so there's no real way to block them).
Indeed. The CCPA is welcome, but this explicit opt-out just means that only broccoli of the technical caliber that frequents HN will realistically benefit from the law. This needs to go a step further and make opt-out the default for all to benefit. And it is the social duty of the technical broccoli that understand these things that need to push this for everyone's benefit.
Are you willing to take a significant salary cut to benefit people?
All the big tech companies, Google, Meta, Netflix, etc make a huge amount of money by using Ads to push things people don't need onto them, brainwashing people. This brainwashing is massively more effective with data-collection.
If tech companies didn't hoard and sell people's data, the brainwashing would be less profitable, Google would pay lower salaries, and the entire industry's salaries would go down as a result.
Salaries in the US might drop from ~$500k to $250k for an average software engineer. Would you be willing to take that sort of cut?
You could also "vote with your feet" and move to europe where the GDPR protects everyone like you want, and your salary will drop to maybe $100k USD.
> If tech companies didn't hoard and sell people's data, the brainwashing would be less profitable, Google would pay lower salaries, and the entire industry's salaries would go down as a result.
I’d like to see data on this. Obviously Oracle and Meta and companies that agressively track you would be impacted, but how much would Google search be changed if it wasn’t personalized? Would there be a meaningful financial impact?
Also as far as I understand, data brokers tend to exclude meta, Google, et al because they don’t sell their data they just use it internally. This could further entrench these players more.
I'm not sure I fully agree that they shouldn't be allowed to use the active search query for picking ads, if that's what you're implying by "curious about". AFAIK that's the main (exclusive?) signal for Google's SERP ads.
thats a strawman, its not like advertisement & brainwashing people is the only way to make money in tech. I am old enough to have seen how valley was before this big-tech ad garbage showed up. In fact I'd say all this power with 7 or so big tech is hindering innovation, so, IMnsHO Fuck 'em all.
Asking 300M people to leave country and move to europe instead of fixing problems here is just stupid and at best a shoddy attempt at victim blaming.
You also have to live somewhere for the majority of the year to be a resident. I would assume GP has responsibilities elsewhere that make it impossible to be a resident
The tax savings (let alone cost of living savings) of avoiding California for most readers of this comment would pay for a professional data removal service 100x.
I feel like the definition of what counts as a data broker and also the idea of information “directly collected” will be abused.
Regardless, it’s a good step. I would also like to see long term liability for security breaches, including lifelong compensation for identity theft and stuff. And for it to be applied retroactively.
The webform can't be completed becaus erequired Date of Birth can only be input by selecting from a calendar widget which requires paging back 12 times per every year ylu've been alive. This is one more cynical bad faith ruse from advertisers.
You can go back by the year. Though I ended up hitting another roadblock down the road yesterday. So, I am currently waiting a couple of weeks for the flow to be functional.
> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.
I'm seeing a problem here...
It really depends on the quality (strenght of the teeth, willingness to use it) of the regulator here; we have a lot of similar situation in EU/France and it's always a case that either it creates a new right or it creates a moat, depending on the enforcer.
Ah California.
This is a very good example of the difference between a left policy and a liberal policy (actually neoliberal to be precise).
The left policy would have been to have some agency within the california government which ultimately does the verification... because why would you outsource that task to a 3rd party?
The neoliberal policy is "Well, we don't want to spend the time to set this up, so let's just pay 10 companies with some taxpayer money to do the job we really should do ourselves".
So now the government has all my data and looks at it constantly to avoid it being available to private companies? Sounds like the worst situation possible.
All your data? No, just records of whether or not your a citizen/resident. That seems like pretty important data for any government to have. It's also information the state's records department likely already has. For example, if you have a drivers license with the state or you were born in the state they'll have that documentation.
Unless you are just an anarchist, then I can't see how it's unreasonable for a government to know who it represents. That's why governments do censuses. Heck, that's needed just for the basic function of making sure you aren't voting in multiple districts.
No shit. All data brokery is a poison pill to justify itself. Until you illegalize the entire damn endeavor, it'll find a way to justify it's own existence through malicious compliance.
No, see they are unhackable because they are government contractors. /s
Additional context:
https://cppa.ca.gov/regulations/pdf/20260101_ccpa_statute.pd...
https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_2026010...
https://cppa.ca.gov/data_broker_registry/
https://cppa.ca.gov/announcements/
Here's hoping other states follow suit.
How does this work over time?
Do you have to keep submitting this every month as they recollect your info from databases in other states?
Seems great in concept but I am skeptical this will change much.
Data doesn't respect state lines.
I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
I'm also skeptical it will have any real effect. The law requires them to process deletion requests at a 45 day interval:
> Data brokers are required to process deletion requests at least once every 45 days beginning August 1, 2026.
But what if Broker A (based in CA) has a contract with Broker B, who doesn't do business in CA, to sync data once a day. Now Broker A will have your data on 44 out of 45 days and still be fully compliant with the law. Furthermore, it's not difficult to figure out when that 45 day interval comes up, so I would expect customers to figure that out and time their purchases accordingly.
> I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
They could store a normalised, hashed version of your data and use it to filter any incoming datasets. But, of course, why would they?
That wouldn't really work because the hash key has to be both specific enough to be unique to you and also general enough to cover any incomplete data set that matches you.
It would work in many cases, though not all. You would not hash everything together. Instead, you hash normalized identifiers independently, such as email address, phone number, or physical address. An incoming dataset would only need to match one of these to be excluded.
> physical address
Not unique to a person
> email address, phone number
Also often not unique to a person, although email addresses probably tend to have much longer lifespans as identifiers than phone numbers.
If the idea is to have a true opt-out system, it's really really difficult to implement given how these systems work.
If you look at the data provided by services like accurint, you'll frequently see the same SSNs used for decades by multiple different individuals, often with IDs from different states with the same name and DoB despite obviously being different people. With how the system works in the US, it can often be impossible for anyone to determine which physical person the SSN was actually originally assigned to.
Same obviously applies to other identifiers you suggested, but even the seemingly good ones are not very good at uniquely identifying people.
You could of course key on things like SSNs, but data brokers wouldn't be very happy about that because there are lots of SSNs tied to multiple different people.
Won't somebody think of the data brokers!?
The government will, given that they're a fairly integral part of how the US economy.
Every single financial institution relies on these data-brokers. U-haul needs data brokers to be able to verify your driver's license, the TSA needs data brokers to let you on a flight without an ID. There are simply countless of reasons for why you wouldn't want to break this system for people who haven't opted in for breakage.
It is a delete request. Your behavior may change and is on you. So, if you always don’t consent, nothing to delete.
That isn't how the collection of data works.
It's not like brokers wait around for you to sign up for something new.
Old data is resold, merged with new data, mixed, stolen, discovered, reformatted... etc...
Your actions of course do have an impact, but does changing your behavior prevent the outcome of your data being collected?
Not even close.
But you did consent every time you agree to some TOS you don't read. This is, of course, stretching the definition of consent, but legally you did.
> I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
If I ever stumble upon such an obvious oversight/loophole, I find it's best to not immediately stop, but to ask: "How do they intend to solve this?"
In this case, the first part of the terms of use solves your conundrum:
> By submitting a deletion request through DROP, you consent to disclosure of your personal information to data brokers for purposes of processing your deletion request pursuant to Civil Code section 1798.99.80 et seq. unless or until you cancel your deletion request. Additionally, you acknowledge that data brokers receiving your deletion request will delete any non-exempt "personal information," as defined in Civil Code section 1798.140(v), which pertains to you and was collected from third parties or from you in a non-"first party" capacity (i.e., through an interaction where you did not intend or expect to interact with the data broker).
You can see this in action today, if you make the effort to manually remove yourself from data brokers.
Some of the brokers do offer an easy removal process and will handle your request right away, but then your record will reappear after some amount of time, obviously purchased from another broker.
I would not be surprised to discover that these individual brokers are, in fact, owned by the same entity and they merely exchange records periodically.
This is the reason that I choose to use Optery. They have the bandwidth and tools to chase my records on my behalf, for as long as I pay them.
CloudFlare just decided I’m not a person, so I’m unable to access the website.
They decided that my niche phone's stock browser is not good for internet oligopolies.
This was already the law, correct? The change here is that California now provides its own platform for submitting requests?
California also requires data brokers to register with the state, creating the (intended) possibility of removing your info fully from all brokers all at once
Or these databrokers just won’t setup bank accounts or offices in the state and tell CA to go screw itself?
As a Californian: I don't want their business.
You aren’t their customer. You are their product.
I still think data brokers will not fully delete the data and would make it available or sell it elsewhere. Data should not be in the hands of these companies in the first place but I guess the cat's out of the bag. They should not collect data deemed sensitive and they should be fined heavily at least to deter wrongdoing.
Much of the data is just scraped from public records that aren't going away. (Yes, collection/resale of those records should be restricted...there is good reason for some types to at least be available)
I tried this yesterday (Saturday). I went through two pages of forms and two rounds of SMS 2FA only for it to reject the 2FA codes on the second page. I gave up because I try not to allocate too much energy toward fighting losing battles.
> Processing begins August 1, 2026.
By that time the data brokers might have sold off the data to others outside USA. may they already have. This is just US law, it will not affect India, China, Russia, etc data brokers
I love the idea. A few thoughts though:
- This needs teeth and they should inform you of what to do if you find out they ignored the request and what penalties they will receive. Tell people they can aid in the enforcement and I bet they will.
- I understand why the residency requirement is there but it just bums me out.
- The language is wrong. People are people, not 'consumers': "...In addition, the consumer must first have their residency verified as described in the Use of DROP section above..."
"consumer" is the language in the CCPA (which had its origins in a ballot initiative); most general privacy laws in the states are designed as consumer protection laws rather than civil rights like in the EU.
I’d love to have a federal version of this.
Which will never happen in a million years with the current regime. Which is exactly why corporations put them there -- to ensure industry will not be regulated (unless you're not paying protection money).
The previous regime, and the one before that didn’t do it either, so I think the obstacle might be something more systemic.
There is only one sensible default, and that is opt-in. Requiring submission of a request to opt-out is never an acceptable solution.
I always wondered about a possible loophole in opt-out.
Could you create legal entities fast/cheap enough and delay compliance long enough so that any private data, requested for deletion, can be transfered from the old opted-out entity to the new one, over and over again?
This could render the entire opt-out approach useless, right? Because in order to reach your goal of deletion, you must get ahead of the transfer curve.
I don't see them being on the resident's side when it comes to something as valuable as data. I agree with you on this. They'll play the loop hole long enough that by then your data has conjoined and transverses into some other data: it has served it's purpose.
I signed up for it (took about 5 minutes). I'm cautiously optimistic about it having positive return on that investment.
One of the best things I have done is sign up for DMAchoice and optoutprescreen.com which has completely stopped junk mail for me.
Curious, practically speaking, how much does this impact people's lives daily?
Asking as a non-ca resident.
For people in general these data brokers are a primary source of information for spammers, both political and semi-targeted. So they share responsibility for making calls from unknown numbers useless.
Depends on what kind of life you live, daily. If you're totally inoffensive and not being bold about anything, not interacting with people in meaningful way, such that no one could possibly be motivated to use the information to track you down and hurt you, then, practically speaking, you're too boring to be of note. But if you are interesting to someone. Maybe you're the other person in an affair, or you're active online in some sort of fashion; if you stick out in some way, then they, whomever you've pissed off, is gonna track you down thanks to such data leaks. Personally, an ex girlfriend just got into a fight with her latest beau, and for some reason I came up, and he was able to track me down to tell me exactly what he thought about I don't know what. Not having that information out there would make me safer when the woman at the bar I made out with turns out to be married to a jealous and violent police officer.
or if you just don’t want manosphere, conspiracy, gender war and partisan echo chamber content, this is a way to reset the algorithm
That is entirely based on first party activity history which is nothing to do with the data brokers.
Data brokers ensures you see the same content on other networks
Even if your only activity was commenting in disagreement
The word "request" sounds very passive, but it seems data brokers actually have to abide to be in accordance with the law?
This is a dangerous precedent for the boundaries of ownership.
Glad this exists but skeptical about enforcement, particularly for any data broker hosting outside of the US.
My phone number is on the national Do Not Call registry and that isn't stopping me from getting 1-2 calls a day from loan scam companies (and they are literally calling from a different phone number every time, so there's no real way to block them).
Why data brokers are allowed to collect your data without an explicit consent in the first place is a question no one yet seems to address.
Indeed. The CCPA is welcome, but this explicit opt-out just means that only broccoli of the technical caliber that frequents HN will realistically benefit from the law. This needs to go a step further and make opt-out the default for all to benefit. And it is the social duty of the technical broccoli that understand these things that need to push this for everyone's benefit.
As one of the technical broccoli like you, I think this is a good sentiment, but it would be much harder to legislate.
GDPR works like this. You need consent to process data vs the US whwre its just a free for all
Im theory yes. In practice, we have "legitimate interest".
Are you willing to take a significant salary cut to benefit people?
All the big tech companies, Google, Meta, Netflix, etc make a huge amount of money by using Ads to push things people don't need onto them, brainwashing people. This brainwashing is massively more effective with data-collection.
If tech companies didn't hoard and sell people's data, the brainwashing would be less profitable, Google would pay lower salaries, and the entire industry's salaries would go down as a result.
Salaries in the US might drop from ~$500k to $250k for an average software engineer. Would you be willing to take that sort of cut?
You could also "vote with your feet" and move to europe where the GDPR protects everyone like you want, and your salary will drop to maybe $100k USD.
> If tech companies didn't hoard and sell people's data, the brainwashing would be less profitable, Google would pay lower salaries, and the entire industry's salaries would go down as a result.
I’d like to see data on this. Obviously Oracle and Meta and companies that agressively track you would be impacted, but how much would Google search be changed if it wasn’t personalized? Would there be a meaningful financial impact?
Also as far as I understand, data brokers tend to exclude meta, Google, et al because they don’t sell their data they just use it internally. This could further entrench these players more.
They shouldn’t be allowed to use things you’re curious about to target you. That’s abusive. So given that, they’d just have to show generic ads.
I'm not sure I fully agree that they shouldn't be allowed to use the active search query for picking ads, if that's what you're implying by "curious about". AFAIK that's the main (exclusive?) signal for Google's SERP ads.
Well, everyone thinks their pet advertising should be exempt from privacy protection so that's unsurprising.
I don't work for ads.
You think the average software engineer in the US makes half a million dollars?
thats a strawman, its not like advertisement & brainwashing people is the only way to make money in tech. I am old enough to have seen how valley was before this big-tech ad garbage showed up. In fact I'd say all this power with 7 or so big tech is hindering innovation, so, IMnsHO Fuck 'em all.
Asking 300M people to leave country and move to europe instead of fixing problems here is just stupid and at best a shoddy attempt at victim blaming.
All those TOS you just click the box and don't read give companies permission to sell your data to third parties.
I'm feeling left out. I've got a house in California, but I'm no longer a resident. I wish this law was also applicable to me.
Be a resident, pay the taxes, reap the benefits.
You also have to live somewhere for the majority of the year to be a resident. I would assume GP has responsibilities elsewhere that make it impossible to be a resident
I would also like the benefits of places I am unable to reside in!
If you have a house in CA they will tax you anyway so might as well.
The tax savings (let alone cost of living savings) of avoiding California for most readers of this comment would pay for a professional data removal service 100x.
I’d rather it be government enforced/my right and not a privilege I have to pay out the ass for, personally.
Yeah, but then you don't get to live in California.
[dupe] Discussion: https://news.ycombinator.com/item?id=46449694
I feel like the definition of what counts as a data broker and also the idea of information “directly collected” will be abused.
Regardless, it’s a good step. I would also like to see long term liability for security breaches, including lifelong compensation for identity theft and stuff. And for it to be applied retroactively.
"Request," sure.
Enforce?
The webform can't be completed becaus erequired Date of Birth can only be input by selecting from a calendar widget which requires paging back 12 times per every year ylu've been alive. This is one more cynical bad faith ruse from advertisers.
You can go back by the year. Though I ended up hitting another roadblock down the road yesterday. So, I am currently waiting a couple of weeks for the flow to be functional.
FWIW not true on safari on iOS, direct month entry works fine
There’s a tiny blue arrow in the widget that lets you scroll to a year (iOS Firefox)
Worked fine on Safari on macOS.